General
-
Target
dllhost.bat
-
Size
658KB
-
Sample
250413-h4dtka1lt2
-
MD5
19ff0b8faebbeca871f17a931bffdf1a
-
SHA1
433d123f4733bb8cc867b2110858727e530ec7e4
-
SHA256
c96325777c1db10cc8d7fd4371cd29d8a4fcba2ea5a421d296df36b072355333
-
SHA512
e9a0af471d8cf5799631ae5bbb8e764f9aef885f67001ba9997d938e11b7198e921d945c9eed91441a5a0773145c2e19fae5e2af2a89424c0e3d9fec2c7545fa
-
SSDEEP
12288:C9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyF3:uiBIGkbxqEcjsWiDxguehC2Sw
Malware Config
Extracted
darkcomet
Guest16
christmas-flooring.gl.at.ply.gg:29421
DC_MUTEX-94MC02K
-
InstallPath
cssr.exe
-
gencode
yjfJYytCpL9z
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
dllhost.bat
-
Size
658KB
-
MD5
19ff0b8faebbeca871f17a931bffdf1a
-
SHA1
433d123f4733bb8cc867b2110858727e530ec7e4
-
SHA256
c96325777c1db10cc8d7fd4371cd29d8a4fcba2ea5a421d296df36b072355333
-
SHA512
e9a0af471d8cf5799631ae5bbb8e764f9aef885f67001ba9997d938e11b7198e921d945c9eed91441a5a0773145c2e19fae5e2af2a89424c0e3d9fec2c7545fa
-
SSDEEP
12288:C9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyF3:uiBIGkbxqEcjsWiDxguehC2Sw
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1